Vulnerabilities > CVE-2009-1469 - Code Injection vulnerability in Icewarp Email Server and Webmail Server

047910
CVSS 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Tags: network, icewarp, CWE-94, nessus, exploit available

Summary

CRLF injection vulnerability in the Forgot Password implementation in server/webmail.php in IceWarp eMail Server and WebMail Server before 9.4.2 makes it easier for remote attackers to trick a user into disclosing credentials via CRLF sequences preceding a Reply-To header in the subject element of an XML document, as demonstrated by triggering an e-mail message from the server that contains a user's correct credentials, and requests that the user compose a reply that includes this message.

Vulnerable Configurations

Part         Description   Count
Application  Icewarp       176

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads a resource (such as an image file or configuration file), the attacker has modified that file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into acting on malicious configuration parameters. Since systems increasingly mash up resources from local and remote sources, the likelihood of this attack is high. The attack can be directed at a client system, for example by causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files: the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/), in the form http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits a resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE application server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it has been manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly chosen default configurations may allow the user to override variables.

Exploit-Db

description: IceWarp Merak Mail Server 9.4.1 'Forgot Password' Input Validation Vulnerability. CVE-2009-1469. Webapps exploit for php platform
id: EDB-ID:32986
last seen: 2016-02-03
modified: 2009-05-05
published: 2009-05-05
reporter: RedTeam Pentesting GmbH
source: https://www.exploit-db.com/download/32986/
title: IceWarp Merak Mail Server 9.4.1 - 'Forgot Password' Input Validation Vulnerability

Nessus

NASL family: CGI abuses
NASL id: ICEWARP_9_4_2.NASL
description: The remote host is running IceWarp WebMail Server - a webmail server for Windows and Linux. According to its banner, the version of IceWarp installed on the remote host is earlier than 9.4.2. Such versions may reportedly be affected by multiple vulnerabilities : - A SQL injection vulnerability exists in the search form of the web-based groupware component. (CVE-2009-1468) - A cross-site scripting vulnerability exists because the application fails to properly sanitize HTML emails. An attacker can exploit this flaw through the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38717
published: 2009-05-08
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/38717
title: IceWarp Merak WebMail Server < 9.4.2 Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(38717);
  script_version("1.16");
  script_cvs_date("Date: 2019/01/02 11:18:37");

  script_cve_id("CVE-2009-1467", "CVE-2009-1468", "CVE-2009-1469");
  script_bugtraq_id(34820, 34823, 34825, 34827);
  script_xref(name:"Secunia", value:"34912");

  script_name(english:"IceWarp Merak WebMail Server < 9.4.2 Multiple Vulnerabilities");
  script_summary(english:"Checks version of IceWarp");

  script_set_attribute(attribute:"synopsis", value:
"The remote webmail server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running IceWarp WebMail Server - a webmail
server for Windows and Linux.

According to its banner, the version of IceWarp installed on the
remote host is earlier than 9.4.2.  Such versions may reportedly be
affected by multiple vulnerabilities :

  - A SQL injection vulnerability exists in the search form 
    of the web-based groupware component. (CVE-2009-1468)

  - A cross-site scripting vulnerability exists because the
    application fails to properly sanitize HTML emails. An
    attacker can exploit this flaw through the 'cleanHTML()' 
    function of the 'html/webmail/server/inc/tools.php' 
    script. (CVE-2009-1467)

  - A cross-site scripting vulnerability exists because the
    application fails to properly sanitize RSS feeds. An
    attacker can exploit this flaw through the 'cleanHTML()' 
    function of the 'html/webmail/server/inc/rss/rss.php' 
    script. (CVE-2009-1467)

  - An input validation flaw exists in the 'Forgot Password'
    function on the login page. (CVE-2009-1469)

  - A specially crafted HTTP request may allow an attacker
    to disclose the contents of PHP files.

An attacker could exploit these flaws to steal user-based credentials,
create arbitrary files, or possibly execute arbitrary code subject to 
the privileges of the affected application.");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?866c85a5");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?df2ecfe5");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f6eab1aa");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a296894e");
  script_set_attribute(attribute:"solution", value:
"Upgrading to IceWarp 9.4.2 or later reportedly fixes the problems.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(79, 89, 94);

  script_set_attribute(attribute:"plugin_publication_date", value: "2009/05/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:icewarp:webmail");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smtpserver_detect.nasl", "popserver_detect.nasl", "doublecheck_std_services.nasl", "http_version.nasl");
  if ( NASL_LEVEL >= 3000)
    script_require_ports("Services/smtp", 25, "Services/pop3", 110, "Services/nntp", 119, "Services/imap", 143, "Services/www", 32000);
  script_require_keys("www/icewarp");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("imap_func.inc");
include("pop3_func.inc");
include("smtp_func.inc");

# Make sure the webmail component is accessible.
http_port = get_http_port(default:32000);

banner = get_http_banner(port:http_port);
if (!banner) exit(1, "No HTTP banner on port "+http_port);
if ("IceWarp" >!< banner) exit(0, "The web server on port "+http_port+" is not IceWarp");

# Try to get the version number from a banner.
ver = NULL;
service = NULL;

#
# - HTTP
if (isnull(ver))
{
  pat = "IceWarp/([0-9\.]+)";
  matches = egrep(pattern:pat, string:banner);
  
  if (matches)
  {
    foreach match (split(matches, keep:FALSE))
    {
      item = eregmatch(pattern:pat, string:match);
      if (!isnull(item))
      {
        ver = item[1];
        service = "HTTP";
        break;
      }
    }
  }
}

#
# - SMTP
if (isnull(ver))
{
  ports = get_kb_list("Services/smtp");
  if (isnull(ports)) ports = make_list(25);

  foreach port (ports)
  {
    if (get_port_state(port))
    {
      banner = get_smtp_banner(port:port);
      if (banner && (" ESMTP IceWarp " >< banner || " ESMTP Merak " >< banner))
      {
        pat = " ESMTP (IceWarp|Merak) ([0-9\.]+);";
        matches = egrep(pattern:pat, string:banner);
        if (matches)
        {
          foreach match (split(matches))
          {
            match = chomp(match);
            item = eregmatch(pattern:pat, string:match);
            if (!isnull(item))
            {
              ver = item[2];
              service = "SMTP";
              break;
            }
          }
        }
      }
      if (isnull(ver) && !thorough_tests) exit(0);
    }
    if (!isnull(ver)) break;
  }
}

#
# - POP3
if (isnull(ver))
{
  ports = get_kb_list("Services/pop3");
  if (isnull(ports)) ports = make_list(110);

  foreach port(ports)
  {
    if (get_port_state(port))
    {
      banner = get_pop3_banner(port:port);
      if (banner && " POP3 " >< banner && (" IceWarp " >< banner || " Merak" >< banner))
      {
        pat = " (IceWarp|Merak) ([0-9\.]+) POP3 ";
        matches = egrep(pattern:pat, string:banner);
        if (matches)
        {
          foreach match (split(matches))
          {
            match = chomp(match);
            item = eregmatch(pattern:pat, string:match);
            if (!isnull(item))
            {
              ver = item[2];
              service = "POP3";
              break;
            }
          }
        }
      }
      if (isnull(ver) && !thorough_tests) exit(0);
    }
    if (!isnull(ver)) break;
  }
}

#
# - IMAP
if (isnull(ver))
{
  ports = get_kb_list("Services/imap");
  if (isnull(ports)) ports = make_list(143);
  foreach port (ports)
  {
    if (get_port_state(port))
    {
      banner = get_imap_banner(port:port);
      if (banner && " IMAP4" >< banner && (" IceWarp " >< banner || " Merak " >< banner))
      {
        pat = " (IceWarp|Merak) ([0-9\.]+) IMAP4";
        matches = egrep(pattern:pat, string:banner);
        if (matches)
        {
          foreach match (split(matches))
          {
            match = chomp(match);
            item = eregmatch(pattern:pat, string:match);
            if (!isnull(item))
            {
              ver = item[2];
              service = "IMAP";
              break;
            }
          }
        }
      }
      if (isnull(ver) && !thorough_tests) exit(0);
    }
    if (!isnull(ver)) break;
  }
}

# Affected: anything before 9.4.2, i.e. 0.x-8.x, 9.0.x-9.3.x, and 9.4.0/9.4.1.
# The whole alternation is anchored so a leading "1" cannot turn 19.x into a match,
# and the 9.0-9.3 branch allows a multi-digit patch level.
if (ver && ver =~ "^([0-8]\.[0-9\.]+|9\.([0-3]\.[0-9\.]+|4\.[0-1]))$")
{
  set_kb_item(name:'www/'+http_port+'/XSS', value:TRUE);
  set_kb_item(name:'www/'+http_port+'/SQLInjection', value:TRUE);

  if (report_verbosity > 0)
  {
    report = string(
      "\n",
      "According to its ", service, " banner, the remote host is running IceWarp \n",
      "Merak WebMail Server version ", ver, ".",
      "\n"
    );
    security_warning(port:http_port, extra:report);
  }
  else security_warning(http_port);
}

Packetstorm

data source: https://packetstormsecurity.com/files/download/77272/rt-sa-2009-004.txt
id: PACKETSTORM:77272
last seen: 2016-12-05
published: 2009-05-05
reporter: redteam-pentesting.de
source: https://packetstormsecurity.com/files/77272/IceWarp-WebMail-Mail-Forgery.html
title: IceWarp WebMail Mail Forgery

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 34827 CVE(CAN) ID: CVE-2009-1469

Merak Email Server is a comprehensive mail solution for office LAN or Internet communication.

The WebMail module of the Merak mail server offers a "Forgot Password" retrieval function on the login page. A user who has forgotten the login password can supply their e-mail address to the mail server there; the server then checks whether the address exists in the system and sends the associated user password back to that address.

When the submit button on the Forgot Password page is clicked, the HTTP POST request that is sent contains a payload similar to the following:

------------------------------------------------------------------------
<iq type="set">
  <query xmlns="webmail:iq:auth">
    <forgot>[email protected]</forgot>
    <captcha uid="5861146275903694001237908440543">Z2JK 3WWY</captcha>
    <subject>Your password for %EMAIL%</subject>
    <message>
Dear %FULLNAME%,

your login data for webmail are following:

Username: %USERNAME%
Password: %PASSWORD%

This email was sent to: %EMAIL%, %ALTEMAIL%.
    </message>
  </query>
</iq>
------------------------------------------------------------------------

The message content of the mail is specified by the HTTP POST request rather than on the server side, so the content can be controlled. The system replaces the variables enclosed in percent (%) characters with data from the server; the following variables are recognized:

%FULLNAME%           the user's full name (first and last name)
%USERNAME%, %USER%   the user name
%PASSWORD%           the user account password
%EMAIL%              the e-mail address
%ALTEMAIL%           the alternate e-mail address
%REMOTEIP%           the remote IP address as seen by the server

By injecting newline characters into the message subject, additional headers can also be added to the mail. The mail system does not parse these headers; they merely appear in the web front end, for example as additional To:, Cc: or Bcc: headers. Mail with such misleading content added helps an attacker carry out social engineering attacks.

Icewarp WebMail Server 9.4.1
Icewarp
-------
The vendor has released an upgrade that fixes this security issue; download it from the vendor's homepage: http://www.icewarp.com/
id: SSV:11212
last seen: 2017-11-19
modified: 2009-05-06
published: 2009-05-06
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-11212
title: IceWarp WebMail Password Retrieval Function Input Validation Vulnerability
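The Summary and the Seebug description above both come down to the same defect: a client-supplied subject is written straight into the header block of the outgoing mail, so a CR/LF inside it starts a new header line. The following Python is an added illustration, not code from IceWarp, Tenable, RedTeam Pentesting or Seebug. It reproduces the %VARIABLE% template expansion the Seebug text describes with constructed sample account data, shows the vulnerable concatenation beside a hardened builder that refuses CR/LF in header values, and parses the result with the standard library to report which headers a receiving client would actually see. All names (SAMPLE_USER, SENDER, build_message_unsafe, build_message_safe, headers_seen) and the example.invalid addresses are assumptions made for the example.

```python
import re
from email import policy
from email.parser import Parser

# Constructed sample account data for the %VARIABLE% expansion; nothing here
# is a real credential or address.
SAMPLE_USER = {
    "FULLNAME": "Jane Doe",
    "USERNAME": "jdoe",
    "EMAIL": "jdoe@example.invalid",
    "PASSWORD": "sample-only",
}

SENDER = "webmail@example.invalid"  # assumed sender address for the notification

# A bare CR or LF anywhere in a header value is what turns one header into two.
_CRLF = re.compile(r"[\r\n]")


def expand_template(template: str, values: dict) -> str:
    """Replace %NAME% placeholders with server-side data, as the page describes.
    Placeholders with no known value are left untouched."""
    return re.sub(r"%([A-Z]+)%", lambda m: values.get(m.group(1), m.group(0)), template)


def build_message_unsafe(subject: str, body: str, user: dict = SAMPLE_USER) -> str:
    """'Before' form: the subject is interpolated into the header block with no
    check, so a CR/LF sequence inside it becomes an additional header line."""
    return (
        f"From: {SENDER}\r\n"
        f"To: {user['EMAIL']}\r\n"
        f"Subject: {expand_template(subject, user)}\r\n"
        "\r\n"
        f"{expand_template(body, user)}\r\n"
    )


def validate_header_value(value: str) -> str:
    """Hardened check: a single header value must never contain CR or LF."""
    if _CRLF.search(value):
        raise ValueError("CR/LF in header value (possible header injection)")
    return value


def build_message_safe(subject: str, body: str, user: dict = SAMPLE_USER) -> str:
    """'After' form: validate the subject before it reaches the header block.
    The body is not a header, so its own newlines are legitimate."""
    return build_message_unsafe(validate_header_value(subject), body, user)


def header_names(raw_message: str) -> list:
    """Parse the wire form and list the headers a receiving client would see."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    return list(msg.keys())


def headers_seen(subject: str) -> list:
    """Which headers does the unchecked builder emit for a given subject?"""
    return header_names(build_message_unsafe(subject, "Dear %FULLNAME%,"))


if __name__ == "__main__":
    benign = "Your password for %EMAIL%"
    crafted = "Your password\r\nReply-To: attacker@example.invalid"
    print(headers_seen(benign))   # ['From', 'To', 'Subject']
    print(headers_seen(crafted))  # ['From', 'To', 'Subject', 'Reply-To']
    try:
        build_message_safe(crafted, "Dear %FULLNAME%,")
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting CR/LF in every header value is the minimal fix for CWE-94-style header injection; the structural fix the Seebug text points at is not to accept the subject or message template from the client at all, but to keep them server-side and take only the address (and captcha) from the request. Either way, the check belongs where the header is assembled, not in the JavaScript front end.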